pcapng

This post is part 1 in a series of posts on trace file anonymization/sanitization. In this series, I will be focusing on three individual tools that each accomplish capture file anonymization. The general use of capture anonymization is to allow capture file owners to obfuscate potentially sensitive data within the files to prepare them for consumption in a non-secured environment. Most likely scenario would be preparing a trace to send to a vendor or consultant. There are differing levels of sanitization within a trace file ranging from removal of .pcap metadata (comments within .pcapng files) all the way to the removal of all payload data after layer 4 and total randomization of any other potentially identifiable information within the frame. The three tools I'll be focusing on in this series are: TraceWrangler tcprewrite from AppNeta SCRUb-tcpdump TraceWrangler TraceWrangler is a GUI based trace obfuscation tool built exclusively for Windows. It supports .pcapng file formats as well as .pacp and .cap. At the time of writing, the last development release was in Sept. 2013. In this exercise, I will work through a basic process of ingesting a trace file, anonymizing the IPv4, IPv6, and MAC addresses within the capture, then exporting it to a sanitized version of the file. In this case, we are required to keep the payload data of an HTTP request. These steps will not remove any potentially sensitive data within the payload, however TraceWrangler has the capability to do that. I would encourage you to check out the documentation to understand that process. Let's start with our initial capture file. In the screenshot below, you can see that my original IP addresses, as well as MAC addresses are visible. My host: IP - 192.168.0.10 MAC - 24:77:03:0c:ca:9c Remote host: IP - 192.167.20.246 MAC - 40:8b:07:ab:38:80 Now let's fire up…